
Recent updates to Prometei botnet reveal enhanced modules and expanded capabilities


The Prometei botnet has been an ongoing threat since Cisco Talos first reported on it in 2020. As of November 2022, the botnet has improved its infrastructure components and capabilities, including certain submodules of the execution chain that automate processes and challenge forensic analysis methods. Based on data obtained by sinkholing the DGA domains over a one-week period in February 2023, the Prometei v3 botnet is estimated to be of medium size, with more than 10,000 infected systems worldwide. The actors have been actively spreading improved Linux versions of the bot, continuously improving the current version.

Recent observations have revealed previously undocumented functionality, such as an alternative C2 domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell deployed onto victim hosts, improving the overall technical capabilities of the botnet. Additionally, the bot's targeting may have been influenced by the war in Ukraine: the only excluded country in the Tor configuration is Russia, whereas earlier variants also avoided exit nodes in other CIS countries.

Prometei primarily deploys the Monero cryptocurrency miner and has worm-like capabilities, posing a persistent threat to organizations. Talos has observed the botnet's financial motivation through cryptocurrency mining and credential theft activity, with infections likely opportunistic, targeting vulnerable entities in all regions and industry verticals.

Based on data acquired through sinkholing the DGA domains, the geographical distribution of infected systems is proportional to the population of the countries, with traffic captured from 155 countries. The most populous countries have the largest number of infected systems, with exceptions in Brazil, Indonesia, and Turkey displaying a higher proportion of infections compared to those countries' populations. Russia stands out as having a disproportionately smaller number of infections, accounting for 0.31 percent of all infected systems, supporting the assessment that the bot's targeting is influenced by the Russia-Ukraine conflict based on its Tor configuration.
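As an added illustration of how sinkhole data like the one-week DGA capture described above yields a host count and a per-capita view of the geographic spread (this is not Talos's code; the log lines, the prefix-to-country table and the population figures are constructed):

```python
from collections import Counter
import ipaddress

# Constructed sinkhole log (timestamp, client IP, queried DGA domain); one IP repeats, one line is malformed.
SINKHOLE_LOG = """\
2023-02-06T10:01:02Z 203.0.113.7 example-dga-1.xyz
2023-02-06T10:01:05Z 203.0.113.7 example-dga-2.xyz
2023-02-06T10:01:09Z 203.0.113.8 example-dga-1.xyz
2023-02-06T10:01:30Z 203.0.113.9 example-dga-3.xyz
2023-02-06T10:02:11Z 198.51.100.21 example-dga-1.xyz
2023-02-06T10:04:01Z 192.0.2.9 example-dga-1.xyz
2023-02-06T10:04:07Z 192.0.2.10 example-dga-1.xyz
2023-02-06T10:04:08Z 192.0.2.11 example-dga-2.xyz
2023-02-06T10:04:20Z 192.0.2.12 example-dga-2.xyz
2023-02-06T10:05:00Z not-an-ip example-dga-1.xyz
"""
# Constructed prefix-to-country table standing in for a GeoIP database,
# and constructed populations (millions) for the per-capita comparison.
GEO = {ipaddress.ip_network("203.0.113.0/24"): "BR",
       ipaddress.ip_network("198.51.100.0/24"): "RU",
       ipaddress.ip_network("192.0.2.0/24"): "US"}
POPULATION_M = {"BR": 215, "RU": 144, "US": 333}

def unique_beacons(log):
    """One infected host per distinct client IP, however many DGA domains it asks for."""
    ips = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ips.add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # malformed client field: skip it rather than crash
    return ips

def country_of(ip):
    return next((cc for net, cc in GEO.items() if ip in net), "??")

def infection_stats(log):
    """Per-country host count, share of all hosts, and per-capita index
    (share of infections / share of population; >1 means over-represented)."""
    counts = Counter(country_of(ip) for ip in unique_beacons(log))
    total, pop_total = sum(counts.values()), sum(POPULATION_M.values())
    stats = {}
    for cc, n in counts.items():
        share, pop_share = n / total, POPULATION_M.get(cc, 0) / pop_total
        stats[cc] = {"hosts": n, "share": round(share, 4),
                     "index": round(share / pop_share, 2) if pop_share else None}
    return stats
```

With the constructed data the index reads 1.21 for BR, 0.6 for RU and 1.04 for US, the same kind of over- and under-representation the text describes for Brazil and Russia.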

The Prometei threat remains ongoing and is expected to evolve for the foreseeable future. The botnet's common C2 infrastructure continues to show a steady stream of activity, with the operators consistently rotating its malware and cryptomining hosts. The regular updating and expansion of Prometei's modules demonstrate the operators' commitment and technical knowledge, which will enable them to continue proliferating the botnet to new victims and adapting to new defenses and protections. The addition of backdoor capabilities and a bundled web shell could indicate the operators' efforts to add persistence measures to keep Prometei active on targeted machines, or a gradual shift or expansion to other types of payloads and activity.
